Abstract

We show that if there exists a deterministic oracle that can determine the sum of the bits in the binary representation of x when presented with the RSA encryption of x, then there exists a probabilistic algorithm using this oracle to recover x when presented with the RSA encryption of x. We present a similar result for Rabin encryption.
1. Introduction

While an encryption function may be computationally infeasible to invert, it may be easy to extract valuable partial information from the encrypted data. This problem was first discussed by Micali and Goldwasser^. They devise an encryption system for which all non-trivial, easily computed predicates of the cleartext are secure under the assumption that determining quadratic residuosity modulo composite numbers is hard. However, since this result is not true for the RSA or Rabin encryption, it is important to determine what partial information is secure for these encryptions. Ben-Or, Chor, and Shamir^ discuss the least significant bit predicate and show that it is as secure for both the RSA and Rabin encryptions as the encryptions themselves. In our paper we consider the sum of bits predicate and show that it is secure in the same sense.

Blum, Blum, and Shub^ have designed a pseudo-random number generator using the least significant bit of a Rabin encryption. We believe that our result might be used to form the basis of a pseudo-random number generator which will be faster asymptotically than any current algorithm. The number of bits in the binary representation of the sum of the bits of x is lg lg x, but is only 1 for the least significant bit of x; thus one might be able to build faster pseudo-random number generators.

Our main result is the following theorem:

Theorem: If there exists a deterministic oracle, Sum Of Bits:

Input: The encryption E_N(x), where x is chosen from Z_N and E_N(x) is either the RSA or Rabin encryption of x.

Output: S(x), the sum of bits in the binary representation of x,

then there exists a probabilistic algorithm A:

Input: E_N(x), N
Output: x.

Furthermore, this algorithm runs in random polynomial time in the length of N.
In this paper we will present this algorithm and a proof of its correctness. Our paper makes use of the Ben-Or, Chor, Shamir result:

Let O_1 be a deterministic oracle that on input E_N(x) can guess the least significant bit of x, such that for a random x in Z_N the probability that O_1 will err is at most 1/4 − ε (for some fixed ε > 0). Then there is a random polynomial-time algorithm, using O_1, that breaks this encryption.


2. The Algorithm

The following algorithm computes a function that is almost the least significant bit; we call it ALSB(x). More formally, we compute ALSB: Z_N → {0,1}, a function such that ALSB(x) = least significant bit of x for at least 3/4 + ε of the domain, where ε is a positive constant to be specified later.
Procedure ALSB

Input: E_N(x), N, where x is in Z_N.

Output: ALSB(x).

Algorithm:

Compute E_N(x 2^{-1} mod N) = E_N(x) · E_N(2^{-1} mod N) mod N

Using oracle SOB compute S(x) and S(x 2^{-1} mod N)

If S(x) ≠ S(x 2^{-1} mod N) then output 1
else output 0


3. Correctness of the Algorithm

The intuition behind the correctness of the algorithm is that for even x, S(x) = S(x 2^{-1} mod N), and therefore the algorithm is correct for these inputs. The hope is that for odd x the algorithm is correct frequently enough to guarantee the necessary probability overall. The remainder of this section is devoted to proving the following lemma.
Lemma 1: Let N ≠ 2^l − 1 be an odd integer. For at least 1/2 + ε of the odd x ∈ Z_N,

S(x) ≠ S(x 2^{-1} mod N).

Throughout this paper k will denote 2^{-1} mod N = (N+1)/2. Furthermore, for any odd x ∈ Z_N, r = r(x) will be an element of Z_{(N−1)/2} such that x = 2r + 1. We now prove a few useful facts about odd x's.

Fact 1: S(x) = S(r) + 1.

Proof: Obvious.

Fact 2: S(x 2^{-1} mod N) = S(r + k).

Proof: Using straightforward manipulations we see that

x 2^{-1} mod N = (2r + 1)(N+1)/2 mod N = (rN + r + (N+1)/2) mod N = (r + k) mod N.

Since x ≤ N − 1, r ≤ (N−2)/2 and r + k ≤ (N−2)/2 + (N+1)/2 < N. Hence,

(r + k) mod N = r + k.

Combining these two facts we obtain the following:

Fact 3: S(x) = S(x 2^{-1} mod N) if and only if S(r) + 1 = S(r + k).

If x and y are non-negative integers, let C(x,y) denote the number of carries induced by the binary addition of x and y. Consider the following example:

            1 111
x = 17_10 =  10001_2
y = 23_10 =  10111_2
x + y = 40_10 = 101000_2.
Note that in the above example, S(x) = 2, S(y) = 4, C(x,y) = 4 and S(x + y) = 2, and thus C(x,y) + S(x + y) = S(x) + S(y). In fact, this equality always holds.

Lemma 2: C(x,y) + S(x + y) = S(x) + S(y).

The reader can verify the lemma by considering corresponding binary positions in x, y, (x + y) and the carries into and out of that position. We use Lemma 2 to convert the original problem to a more convenient form. Combining Fact 3 and Lemma 2 we obtain the following corollary.

Corollary: S(x) = S(x 2^{-1} mod N) if and only if S(k) = C(k,r) + 1.

We wish to bound the number of odd x for which ALSB(x) ≠ LSB(x). Since we are interested in

{odd x ∈ Z_N | S(x) = S(x 2^{-1} mod N)},

we define

B(k) = { r | S(k) = C(k,r) + 1, where 0 ≤ r ≤ k − 2 }.

We wish to prove for all odd N, N ≠ 2^l − 1, that |B(k)| is at most a (1/2 − ε) fraction of these r, for some fixed ε > 0. Since k = 2^{l−1} if and only if N = 2^l − 1, it follows that S(k) = 1 if and only if N = 2^l − 1. Therefore, if N ≠ 2^l − 1 then 0 ∉ B(k), since C(k,0) = 0 and S(k) ≠ 1. This enables us to restrict r to the range 1 ≤ r ≤ k − 2. We now consider the following superset of B(k), B*(k):

B*(k) = { r | S(k) = C(k,r) + 1, where 1 ≤ r ≤ k }.

We are also interested in the fraction b(k) of the r in this range that lie in B*(k). Since the fraction of odd inputs for which the algorithm answers incorrectly is at most b(k), it is sufficient to show b(k) < 1/2 − ε for k ≠ 2^{l−1}.

Claim: b(k) = b(2k).

Proof: Note that k ∉ B*(k); with this restriction it follows that r ∈ B*(k) if and only if both 2r ∈ B*(2k) and 2r + 1 ∈ B*(2k). This follows from considering the binary representations of r, 2r, and 2r + 1. Since both 2r and 2r + 1 are in B*(2k) or neither are, b(k) = b(2k) follows.

Thus we are only required to prove that b(k) < (1/2 − ε), for some fixed ε > 0, for odd k ≥ 3.
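The following Python is an added example, not code from the paper: it implements S(x), the carry count C(x,y) and Procedure ALSB of Section 2 over a constructed toy RSA modulus (N = 61·53, e = 17, both assumptions), simulating the Sum-Of-Bits oracle by tabulation, and brute-forces B*(k) so that Lemma 2, the claim b(k) = b(2k) and the accuracy required by Lemma 1 can be checked for small parameters.

```python
def S(x: int) -> int:
    """Sum of the bits of x, the paper's S(x)."""
    return bin(x).count("1")

def C(x: int, y: int) -> int:
    """Number of carries induced by the binary addition of x and y."""
    carries, carry = 0, 0
    while x or y or carry:
        carry = ((x & 1) + (y & 1) + carry) >> 1
        carries += carry
        x, y = x >> 1, y >> 1
    return carries

def lemma2_holds(x: int, y: int) -> bool:
    """Lemma 2: C(x, y) + S(x + y) = S(x) + S(y)."""
    return C(x, y) + S(x + y) == S(x) + S(y)

def bstar(k: int) -> set:
    """B*(k) = { r in [1, k] : S(k) = C(k, r) + 1 }, the 'bad' values of r."""
    return {r for r in range(1, k + 1) if S(k) == C(k, r) + 1}

def b(k: int) -> float:
    """Fraction of 1 <= r <= k lying in B*(k); the paper's b(k)."""
    return len(bstar(k)) / k

# Toy RSA parameters (constructed; far too small for real use).
N, E = 61 * 53, 17  # phi(N) = 3120 is coprime to 17, so x -> x^E permutes Z_N

def rsa_enc(x: int) -> int:
    return pow(x, E, N)

def make_sob_oracle():
    """Simulated Sum-Of-Bits oracle. The paper assumes it as a black box;
    here it is built by tabulating S(x) against every ciphertext E_N(x)."""
    table = {rsa_enc(x): S(x) for x in range(N)}
    return lambda c: table[c]

def alsb(c: int, sob) -> int:
    """Procedure ALSB of Section 2. E_N(x * 2^-1 mod N) is derived from
    E_N(x) alone, because RSA is multiplicative, so x itself is never used."""
    c_half = (c * rsa_enc(pow(2, -1, N))) % N
    return 1 if sob(c) != sob(c_half) else 0

def alsb_accuracy(sob) -> tuple:
    """(fraction of all x in Z_N with ALSB(x) = LSB(x),
    fraction of odd x with ALSB(x) = 1); Lemma 1 concerns the second."""
    hits = [alsb(rsa_enc(x), sob) == (x & 1) for x in range(N)]
    odd_hits = hits[1::2]
    return sum(hits) / N, sum(odd_hits) / len(odd_hits)
```

For this modulus every even x is classified correctly and, since 1 ∉ B*(k) for k = 1617, the pairing argument of Lemma 3 gives strictly more than half of the odd x correct as well.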

Lemma 3: Let r be an even integer in the range of B*(k), for some odd k ≥ 3. If r ∈ B*(k) then r + 1 ∉ B*(k).

Proof: Assume r ∈ B*(k), so that S(k) − C(r,k) = 1. We will show that C(r,k) ≠ C(r + 1,k), which proves the claim. Since k is odd and r is even there is no carry out of the least significant bit when adding r and k. However, when adding r + 1 and k there is a carry out of the least significant bit. In fact this carry propagates up to the least significant bit position such that r and k are 0 in that position. To the left of this position the carries are identical and to the right of this position there is a strictly greater number of carries when adding r + 1 and k than when adding r and k.

Using the fact that 1 ∉ B*(k), we can conclude that for such k, b(k) < 1/2.

Now we will construct a constant ε such that b(k) < 1/2 − ε. We do a case analysis on the form of the binary representation of k.

We first consider two very general cases; after this the remaining scattered cases will be dealt with in an ad hoc fashion. Our notation for describing these cases is borrowed from formal language theory.

Suppose that k = 1{0,1}^l 10 {0,1}^m 01 for some l ≥ 1 and m ≥ 0. Consider the proof that b(k) < 1/2. Since 1 ∉ B*(k), we pair off the numbers [2,3], [4,5] up to [k−1,k]. (Recall that k is odd.) By Lemma 3, we know that for every pair at most one of each pair is in B*(k), that is, bad. In order to prove that b(k) < 1/2 − ε, we need to show that for a fixed fraction of the pairs, neither number in the pair is bad. Suppose that [r, r+1] is a pair where one of r and r + 1 is bad. Further assume that r is of the form 0x000y00, where x ∈ {0,1}^{l−1} and y ∈ {0,1}^m. Consider the pair [r', r'+1] where r' = 0x110y00. It is not hard to verify that

C(r,k) < C(r,k) + 1 = C(r+1,k) < C(r',k) = C(r'+1,k) − 1 < C(r'+1,k).

These inequalities guarantee that if either of r or r + 1 is bad, then neither of r' and r' + 1 is bad. One can show that this procedure is in fact a 1-1 mapping between pairs of the appropriate forms. As a result, this mapping proves that for 1/32 of the pairs, neither number is bad. This proves that an additional 1/64 of the numbers are not in B*(k); thus b(k) < 1/2 − 1/64 for k of the form given above.

For k of the form 1{0,1}^l 10 {0,1}^m 11 with l ≥ 1 and m ≥ 0, the proof is nearly identical. The only difference is that we consider [r, r+1] pairs with r of the form 1x000y10, where x ∈ {0,1}^{l−1} and y ∈ {0,1}^m. In this case, the [r, r+1] pairs get mapped to [r', r'+1] pairs, with r' of the form 1x110y10.
It remains to consider the values of k that are not covered by the previous two cases. We can show that the remaining possibilities can be summarized by the following six cases:

1. k = 1^l;

2. k = 1^l 01;

3. k = 10^l 1^m;

4. k = 10^l 1^m 01;

5. k = 110^l 1^m;

6. k = 110^l 1^m 01;

where l, m ≥ 1 for each of these cases. It is tedious but not difficult to show that for each of these cases b(k) < 1/2 − ε.
4. Conclusions

In this paper we have proved that determining the sum of bits of the cleartext, given only the RSA (Rabin) encryption, is as difficult as decrypting. It is significant to note that we have actually proved something slightly stronger. The oracle need not always be correct; in particular the oracle may lie on a fixed fraction δ of the inputs, where δ is below a fixed constant. Recently, Vazirani and Vazirani^ have claimed an improvement in the Ben-Or, Chor, Shamir bound of 1/4 − ε. This result allows us to use an oracle that lies a greater percentage of the time.